Security DB

With an aim to address rapidly evolving spectrum of cyber threats , We are continuosuly working and developing huge vulnerability and security repository that keep track of all recently released exploits changing the way analysts share and research threat intelligence. Keep your vulnerability database updated with CDI's repository of latest exploits.

Security Audit

Our Web Application Pentest ( WAP) attempts to address the Owasp top 10 & SANS top 20 web application vulnerabilities and other exploitable loopholes of your web application . Along with it our WAP team also test web applications for Business logic flaws that can directly or indirectly effect the functioning of application.

Trainings

We are here to help you solve your biggest query- where and how to start? CDI has brought various courses in Ethical Hacking in Chandigarh where all you technology lovers will be given the much needed push to move forward and create a niche for yourself in the field. From Beginner to Expert lever we have many kinds of training patterns.

Call Us : +91-771045-0011 | +91-771045-0022

In a surprising decision with release of OS X 10.10.3 on April 8th, Apple Inc. has made it clear that it won't be fixing Rootpipe Vulnerability. With the release of new version of OS X, Apple fixed nearly 80 security issues affecting components such as the admin framework, Apache, ATS, CFNetwork, CoreAnimation, FontParser, hypervisor, ImageIO, IOHIDFamily, the kernel, LaunchServices, libnetcore, NTP, OpenSSL, PHP, QuickLook, SceneKit, UniformTypeIdentifiers, and WebKit. The patched vulnerabilities can be exploited for remote code execution, denial-of-service (DoS) attacks, data leakage, and bypassing security mechanisms. But it left this major vulnerability to be patched for previous versions of OS X i.e. OS X 10.7.5, 10.8.2, 10.9.5 and 10.10.2. However, newer version isn't prone to the vulnerability. So the users can update to 10.10.3, but the problem is there are nearly 3 percent of Mac users who will be directly affected by this decision. The percentage counts to 90 million Apple users, which is indeed very large!Wardle said it was an interesting vulnerability, saying it was simply a legitimate albeit undocumented feature of OS. It's unclear what Apple was thinking in adding this feature just because something is undocumented doesn't mean security researchers aren't going to figure it out and abuse it for malicious purposes.

What is Rootpipe Vulnerability

Previously we published the report discussing the Rootpipe Vulnerability discovered by a Swedish Researcher working at Truesec, a security firm.The vulnerability is so serious that even without the authorization, an attacker could gain the highest level of access on the machine called root access, that leads to complete control of the system. In the complete disclosure, Emil explained about this vulnerability in detail. A Hidden backdoor API is responsible for privilege escalation in OS X, even an attacker can gain root access, hence the name 'Rootpipe'.

"The Admin framework in Apple OS X contains a hidden backdoor API to root privileges. It's been there for several years (at least since 2011), I found it in October 2014 and it can be exploited to escalate privileges to root from any user account in the system.The intention was probably to serve the System Preferences app and systemsetup (command-line tool), but any user process can use the same functionality", states the published report.

Further, Emil will be revealing how exactly he found the vulnerability and a complete walkthrough will be provided by him in a security conference soon. He published an Exploit Code with Demo and a PoC (Proof-of-Concept) on the blog.

Mitigation

Simple method to be secure from this vulnerability is to update the OS X to latest version i.e. 10.10.3, and also the latest photo emojis release can be enjoyed. Rest, Apple as confirmed, won't be fixing the previous versions of OS X regarding this vulnerability.

Leave a Reply

Name
Email id
Contact No
Comment